One of the things I like best about the blogosphere is the tendency of us bloggers to loudly announce our disagreement, only to find that we're actually saying the same thing. Alex Hutton and Mike Rothman both took me to task for the recent rant on user awareness training. And they both made exactly the points I was trying to make.
From Rothman's post:
"Sure you can come up with a fancy brand name and "hook" for your training program. You can also give away nice stuff for folks that get it. Those are pretty simple marketing tactics. But the biggest secret in marketing? CONSISTENCY. Marketing is not a quick fix for anything. It takes years of consistent effort to build a "brand" and to influence anyone's behavior. So make up your posters and give away iPods for folks that do the right thing. But most of all - do something EVERY DAY to reinforce the message. Do not give up on your program."
That was one of the main points I was making - we in security give up far, far too easily on security awareness training. In most places it is treated as a "once a year" effort to satisfy some regulatory consultant, with very little focus on why it's successful. And by giving up on that effort so easily, we lose out on a huge amount of the benefit of our security program: if 60%-80% of all loss is caused by users, then a significant effort (i.e. 20% of our time?) could easily produce a massive improvement in our security posture.